Local clerks say they’re ready for the Russians

Ingham County Clerk Barb Byrum said the 2018 elections will “absolutely” go forward, even if hackers take out the whole power grid. In the event of a cyberattack, she said, paper ballots will be counted by battery-powered tabulators — in candlelight, if necessary.

According to cybersecurity expert Joseph Lorenzo Hall, local officials like Byrum “are on notice that they are now on the front lines of cybersecurity.”

“We have to ‘cowboy up’ state and local election officials to better deal with nation–state threats,” Hall said last month in an interview for the Washington, D.C.-based Center for Democracy and Technology, where Hall leads the Internet Architecture Project.

Lansing City Clerk Chris Swope sounded as if he were casually twirling a set of spurs emblazoned with the city seal. “I’m not terribly worried,” he said. “I think Michigan has a pretty good handle on it.”

Swope’s staff isn’t blithely opening emails, though.

“We got a communication from the state Feb. 16 that some clerks had gotten something that looked like a phishing attack,” Swope said. “It gave some hints on what can be a clue to a phishing scam.”

The ace in Michigan’s hand, Byrum said, is the state’s paper ballot system.

“When you vote in Michigan, there is always a paper that the voter takes and puts into a tabulator,” Byrum said.

But she is still on guard against an ever-changing array of threats.

“I’m learning about new and improved cyberattacks and steps we can take to mitigate that risk,” she said. “It would be foolish to say we are completely secure and safe.”

Byrum said she is “absolutely not” satisfied that she has a clear channel to the U.S. Department of Homeland Security.

In late March, the U.S. Senate Intelligence Committee released a set of recommendations on ways to fight the expected onslaught of Russian hacking, including “clear channels of communication” between local election officials and DHS.

“If you want clear channels of communication, that’s relying on phone and Internet to work, and that may not be the case,” Bryum said.

Byrum said her worst nightmare is “technology down.”

For the November 2016 election, she had a two-way radio sitting on her desk, in case communications lines failed.

“In Ingham County, our phone, fax, email is all Internet based,” Byrum said. “If they took out our communication, we still know how to write, and post things on windows, but communicating to the area would have really been difficult.”

The day before the 2016 presidential election, the state’s Bureau of Elections asked every county clerk to check in, using the radio.

“It was like, ‘Dee-deet! Ingham County!’” Byrum said. “But that’s very limited. Michigan has 83 counties. Think of 83 county clerks on that little radio channel.”

About a month before the election, local clerks like Swope test the ballot tabulation programming done by Byrum’s office.

“Then everything is locked up until Election Day,” Byrum said.

When the polls close, tabulators count the votes and store the ballots. Unofficial results are uploaded to Byrum’s election computer, which generates a report that is transferred to the Internet to report the results.

“As many controls as Ingham County could put on it, I have put on it,” Byrum said.

There are post-election safeguards as well. The day after the election, the Ingham County Board of Canvassers, two Democrats and two Republicans, compare the poll books — written records of how many people came in to vote — to the reported results.

“If those numbers don’t match, they figure out, were there spoiled ballots? Did someone walk away with a ballot?” Byrum said.

In Ingham County and Lansing, the vulnerable points in the process, where data is transferred via computer, are either not hooked to the Internet, or they are handled via encrypted VPNs, or Virtual Private Networks.

“Our programming for our ballots is not on line,” Swope said. “The computer we use to put the result on thumb drives — the equipment has never been connected to the Internet.”

“The Russians cannot hack our system because election results do not go through the Internet,” he said. “They are all processed and transmitted through secure channels.”

Nevertheless, Byrum hopes the feds will follow through on the Intelligence Community’s recommendations.

“It would be nice to have a main contact with DHS or have them be able to contact us directly without having to use Google,” she said.

Cybersecurity expert Hall urged the feds to support local clerks.

“These guys are the lowest resourced people out there, regularly protecting against the greatest threats we face, which is nation states,” Hall said.

Byrum agreed that elections are “not properly funded in Michigan.”

Until the August 2017 primary, Ingham county was running elections on computers that were over 12 years old and ran on Windows XP, she said.

“That is not he case now, but it’s embarrassing that it was the case for so long,” Bryrum said.

She added that “cowboying up” means getting more cowboys as well as fresh saddles.

“It’s not just about embracing the new technology, it’s about being properly staffed, and that’s not the case in Michigan,” she said. “We need to respect the election officials and their duties and obligations and properly staff those offices.”

The next challenge for local officials, and for the American electoral process, is a growing tension between making elections more secure from hacking and making it easier to vote.

“There are people in Michigan and elsewhere that are skeptical of having a totally secure online registration system, or any type of online voting,” Dreyfus said.

But he still believes that in 20 or 30 years, voting will be done totally on line.

“You’ll just look at your watch and speak to it, who you’re voting for governor,” he said.

“I don’t see it,” Swope said. “I believe in the paper ballot.”

Dreyfus admitted that on line technology will open up “a world of problems.”

“Sooner or later, when the state is fully engaged in it, there will be a huge hack, a big meltdown,” he said. “It will require a whole new level of security mechanisms.”